MagnoliaJS 2023

MagnoliaJS is the premier web development conference hosted in the capitol city of Mississippi at the Mississippi Museum of Art downtown. With all the stories of Mississippi as a failing state, it is important to recognize MagnoliaJS as an opportunity for people in the web industry to learn about the state from its storied museums. The art museum in particular is an excellent community center and venue for this conference, as well as being rich with catering options from close by!

1. Why do I want to attend MagnoliaJS

I won’t lie: the food is a big draw. There’s great food in Jackson and MagnoliaJS is a great chance for it to be showcased in front of a national (sometimes global) audience.

Another, more personal reason is that the conference organizers are friends of mine who I want to support. The conference is also quite emphatic about accessibility and inclusion as themes and as a policy, so everything from the registration process to attendance is demonstrative of these values. MagnoliaJS will begin on Tuesday, October 17, with a talk on accessibility and neurodiversity from Homer Gaines. I’m also looking forward to a live coding session from Karl Groves demonstrating accessibilty principles in JavaScript.

2. What do I expect to learn

My primary goal is to listen and learn about the varied perspectives in the web industry. While there will be some JavaScript covered at the conference, there are a number of other topics that may shed light on a different way of thinking, so I am approaching with an open mind.

3. How will this benefit my personal growth

I am always willing to take the time to listen to story tellers in Mississippi spaces. I come away from these types of interactions inspired and motivated, and this usually takes a direct impact through the leadership decisions I make.

Referral Link with Discount

If you would like to purchase tickets for MagnoliaJS please use the button below for a 15% discount!

Get Tickets for Magnolia JS 2023

Let's Expire Password Expiry

Too many organizations employ outmoded policies related to passwords that have been shown to be ineffective in providing security, namely, the requirement to change a memorized token on a regular periodic basis. I would like to present here various references which demonstrate that the industry standards have evolved in the last decade and do not require users to change a memorized token on a regular basis. It is best practice to require a changed password when credentials are found in other systems (I know of some orgs that use the haveibeenpwned API to provide intelligence when credentials are found on the dark web) but expiry should not be required until there is evidence a compromise has occurred.

Key paragraph from NIST Digital Identity Guidelines¹

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

PCI DSS password requirements²

Requirements set in the Payment Card Industry Data Security Standards state that passwords should only be changed on a regular 90-day basis, if it is the only authentication method available (Section 8.3.9). A stronger security posture is to require multi-factor authentication to access secure systems.

FTC persuasive article against mandatory password changes³

Lorrie Cranor, ACM and IEEE fellow & Chief Technologist at FTC (2016-2017), wrote an article that makes the point of this blog post: mandatory password changes should be reconsidered. Compellingly, she details research that has demonstrated “[an] attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily.”

Three different Microsoft articles make the case

Microsoft Security removed password expiration in v1903 of Windows 10 and Windows Server⁴

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

Microsoft 365 password policy reccommendations⁵

Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.

Robyn Hicock, Microsoft Identity Protection Team⁶

In a research article, the Microsoft Identity Protection Team identifies password expiry as an “anti-pattern” (a practice which is believed to solve a problem but in fact does not).

Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. Experiments have shown that users do not choose a new independent password; rather, they choose an update of the old one. There is evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily.

One study at the University of North Carolina found that 17% of new passwords could be guessed given the old one in at most 5 tries, and almost 50% in a few seconds of un-throttled guessing. Furthermore, cyber criminals generally exploit stolen passwords immediately.

Microsoft CISO says the future is passwordless⁷

“I remember we had a motto to get MFA everywhere, in hindsight that was the right security goal but the wrong approach. Make this about the user outcome, so transition to “we want to eliminate passwords”. But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish. More importantly, it changed our design and what we built, like Windows Hello for business,” he says.

“If I eliminate passwords and use any form of biometrics, it’s much faster and the experience is so much better.”

Microsoft is moving towards a hybrid mode of work and, to support that shift, it’s making a push towards a Zero Trust network design, which assumes the network has been breached, that the network extends beyond the corporate firewall, and caters to BYOD devices that could be used at home for work or at work for personal communications.

References

[1] NIST 800-63B Section 5.1.1.2 Memorized Secret Verifiers

[2] PCI-DSS 4.0 Section 8.3.9

[3] FTC Time to rethink mandatory password changes

[4] Microsoft Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903

[5] Microsoft Password policy recommendations for Microsoft 365 passwords

[6] Microsoft Password Guidance

[7] Microsoft’s CISO: Why we’re trying to banish passwords forever

JXN Film Club - PODCAST REVIVAL

As a film lover in Jackson, I’ve felt compelled to identify the people in my life who love talking about movies. A few years ago, the thought had crossed my mind to start a film club and try to create some community around this shared love. I asked some friends and started organizing events, and eventually was approached about starting a podcast. That’s the brief history of Jackson Film Club (aka jxnfilmclub or JXN Film Club).

When The Fairview Sound studio was located in Belhaven, I worked with Brennan White to release 2 seasons of podcast content under the banner JXN Film Club The Podcast. My co-host was Sam Graef, a current film student at Belhaven University and co-founder of Escape the Wolf Productions. Both Brennan and Sam have moved on to other phases of life and so I am going to do something new to continue this podcasting project on my own.

If you’ve never listened to the podcast before, here’s the last episode we recorded with Brennan, featuring Brennan! It’s a great introduction to our style.

Are you on Discord

There is a chat and social app called Discord which was initially created for the gaming community. If you’ve ever used Slack or IRC, you’re going to be familiar with the channel structure of Discord Servers. I have owned and maintained a personal Discord I use for development since 2017. You can join my server using the widget under my bio on this page.

Moving forward starting with Season 3, all episodes will be generated from recorded conversations taking place on Discord. This will enable a regular schedule since guests will be completely remote. This does require that guests are registered Discord users and have access to a camera and microphone. The great part is that the Discord app lets users use the camera and most people who have a smart phone have earbuds or headphones. All the recording logistics are handled seamlessly and the only thing guests will have to do is join a voice channel at an agreed upon time.

Topics

Previously, we collaborated with our guests to come up with general topics we could have some freeform discussion about. I don’t know how well this really worked as far as exploring intellectual takes on films or the film industry, but I had fun doing it.

In addition to topics, we had a throughline of Top 20 episodes. These conversations focused on a guest’s Top 20 favorite movies, a list they compiled ahead of time. I’ve collected all of the lists we turned into episodes on my Letterboxd. I’ll continue to catalogue JXN Film Club podcast content on Letterboxd as is appropriate.

Considering that Seasons 1 and 2 were primarily recorded in the living room studio of The Fairview Sound, the conversational nature of our topics relied a lot on in-person chemistry. I’m not concerned that chemistry won’t be possible using Discord but I do believe it will feel very different. I look forward to exploring the challenges to recording a podcast using this digital platform.

Be Our Guest

So far we’ve had lots of interesting local guests, but I am excited about the potential of opening the podcast to feature guests from anywhere in the world! If you think you’re up for the task and want to learn more about the podcast recording schedule, please respond to the form below!

Wearable Tech and Telehealth

Years ago, I was a contributor for the student newspaper The Reflector at Mississippi State University. I published articles under news, opinion, and life categories. In one particular opinion article (pdf) originally published in September, 2014, I am found invoking the famous “Websters Dictionary defines…” to discuss the innovation of the Apple Watch. My opinion in the article was that the watch was fashion, and that Apple would fail miserably, and here I am now eating crow.

As I write, I’m wearing an Apple Watch. It’s only my second device in 6 years and I can say it has definitely changed my relationship to technology in ways I didn’t anticipate. More on that later.

Telehealth and wearables

In 2021, my colleague Jack Mazza completed an honors thesis in which he surveyed the future of wearable technology in telehealth. His work included building a sample app and generating data using his own wearable and canvassing healthcare professionals at University of Mississippi Medical Center in Jackson. His proof-of-concept app demonstrated to Jack the various data his own wearable offered him, and his survey questions reflected a perspective of telehealth and wearable data that is well-rounded. You can read his findings for yourself by reviewing his thesis (pdf), and here’s a quick quote that will convince you it’s worth 5 minutes of your time:

The results showed overwhelmingly that healthcare professionals believe wearable technology could greatly aid the Tele-Health communications process for both patients and healthcare workers alike. The addition of the data could help many diagnoses be more accurate and give patients better care.

In general, Jack’s main question was about whether wearable data was considered trustworthy by medical professionals. The findings are generally optimistic about wearable tech and its impact on simplifying communications between doctors and patients.

My experience with wearable tech

My first Apple Watch was a Series 3, which I believe was the first time the product was offered with cellular. I managed to keep that device for over 2 years before I upgraded to a Series 6. Not only have the devices withstood my normal traffic, I was able to sell my first watch on the cheap.

One of the first things I realized when I started wearing an Apple Watch was that I received way too many push notifications. Since then, nearly everything is silenced except for text messages and phone calls. The watch had replaced the buzzing in my pocket and made me more concious of how often my phone distracts me.

The health tracking features of the Apple Watch are primarily what Jack’s thesis explored and I can attest to their own usefulness in my life. It has been an infrequent occurrence but I have experienced occasional panic attacks. The meditation feature on the watch helped me practically by giving me an activity I could focus on to calm down during some attacks, as well as giving me biometric feedback by showing my heart rate was lowering over time.

I haven’t needed to share the data with any doctors yet but every now and then I make use of the ECG feature introduced in the Series 6 to graph my heart rate.

Conclusion

Wearable tech and telehealth should be adopted in areas with low access.

michaellamb.dev announcements

I will be hosting a podcast session for jxnfilmclub in my dev Discord server on July 12

Anyone is welcome to join the conversation, just reach out to me on my server or by DM for more details

C Spire Gaming will be hosting Community Game Night on July 20

Zack Sistrunk will be looking for a squad in Planetside 2 on PC Watch on Twitch or join in on Discord

I’m on Threads

New Song Recommendation

An overview of LinkStack

My Self-hosted Link Sharing Hub

I use LinkStack as an app at link.michaellamb.dev and have added it to my social media pages as a link dashboard. I often share the link to the app with new contacts to give them all the options to connect with me. There are even a few other users on my LinkStack with their own pages as the app has an admin feature and a registration toggle (disabled by default). My instance of LinkStack is running in the Raspberry Pi cluster¹ I have documented in the past².

LinkStack is an open source project which solves link sharing and management of shared links. It offers a customizable page like Linktree, but with so much more opportunity and freedom – as long as you’re comfortable starting a Docker container!

I trust the project’s documentation on GitHub and recommend using that to determine how you might want to add this free and available resource to your web properties.

LinkStack vs. Linktree

Features

Linktree is a very quick and simple solution for creating a list of links with customizable buttons, colors, and backgrounds but its features are limited. Linktree intentionally limits these features to ensure only the most user-friendly experience is possible on their platform. When compared to LinkStack, Linktree has no feature that comes close to the Themes offered by default with new instances of a LinkStack app. Custom Themes in LinkStack gives users the ability to design their page exactly how they like it.

Hosting

LinkStack offers a robust platform with the option to host yourself or host on their servers. Self-hosting a LinkStack app is straightforward and can happen in a few clicks. LinkStack’s inspiration is to empower data ownership among individuals and groups who need a reliable and autonomous solution for sharing links. Alternatively, you may find using a hosted instance might be right for you. The LinkStack org provides low-cost hosting in addition to their community instance program which anyone can use for free.

Linktree isn’t a project, it’s a product. Their pricing model is a higher premium than LinkStack’s.

Support

Because it is an open source project, LinkStack offers community support on Mastodon and Discord.

Developer Contribution Guide

LinkStack is written in PHP with the Laravel framework. Developers may contribute bug reports, code discussions, code fixes, and new features. The Discord server is where communication around this work takes place. The maintainers use GitHub Flow as an integration strategy.